Decrypting OpenLDAP passwords

odtf · May 9, 2011 · Viewed 12.8k times

I have a set of users in my OpenLDAP and I wish to get some information from them, for example "cn" and "userPassword".

However, when I retrieve these details the password isn't in plain text, even though it is set to this in my LDAP server.

Any ideas how to solve this?

Answer

JPBlanc · May 9, 2011

The userPassword is generally stored in hashed form:

userPassword: {hashAlgorithm}hashed value

Example:

userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3

The userPassword attribute is allowed to have more than one value, and it is possible for each value to be stored in a different form. During authentication, slapd will iterate through the values until it finds one that matches the offered password or until it runs out of values to inspect. The storage scheme is stored as a prefix on the value.

You can have:

CRYPT

This scheme uses the operating system's crypt(3) hash function. It normally produces the traditional Unix-style 13-character hash, but on systems with glibc2 it can also generate the more secure 34-byte MD5 hash.

MD5

This scheme simply takes the MD5 hash of the password and stores it in base64-encoded form.

SMD5

This improves on the basic MD5 scheme by adding a salt (random data, which means that there are many possible representations of a given plaintext password). For example, both of these values represent the same password.

SSHA

This is the salted version of the SHA scheme. It is believed to be the most secure password storage scheme supported by slapd.

Conclusion

Most of the time you don't have to recover the password. You just have to compute the hash from the password given by the user in the login form and compare it with the one in userPassword.